Now that schedules are returning to normal, it’s appropriate to review the events of last week and reflect on the lessons learned with the benefit of hindsight.
1. Risk planning is forever altered.
To me, risk is the likelihood of an event multiplied by the impact of that event.
Risk management for BIDMC IT now uses the NIST 800 framework, so areas of risk are formally enumerated. However, it still requires judgment about mitigation strategies.
At 2:50 p.m. on April 15, seven BIDMC IT staffers were volunteering in the medical tent or working at the Marathon finish line, a few feet from the explosions. They were among the first responders assisting the injured. Their work in a medical community gave them the strength to stay calm but could not have prepared them for the scenes of destruction they witnessed. All my staff members were safe and unharmed, but given their proximity to the bombs, the outcome could have been devastating.
As we think about risk planning in the future, we’ll need to consider the events of last week when told something as innocent as “the majority of the database administration team is going to volunteer at the Marathon.”
2. Secure remote access to all systems is critical to operations.
As we continue to enhance the security of our applications and networks, we’re limiting remote access to those with a true need to use systems from off-campus. As the events of last week illustrated, we need to plan for future events that shut down the city for five days and require many people to work from home if travel is restricted or a “shelter in place” order is given.
3. We need to consider restrictions on physical access to the data centers.
The restrictions on travel to and from communities plus restrictions on entering/leaving BIDMC were imposed with an unknown duration. Our disaster recovery planning needs to include scenarios such as no staff being able to enter the data center and no staff being able to leave the data center.
4. We may need to consider novel audit workflows.
We capture every lookup in real time and perform many analytics to ensure patient privacy preferences are respected.
We placed the following message at the top of our intranet for every staff member to see on every page:
Urgent Reminder for All BIDMC Staff About Patient Privacy
Staff must completely protect patient privacy according to federal HIPAA regulations and BIDMC’s own privacy policies. That means:
- No sharing of ANY patient information through email, Twitter, Facebook, Flickr or other photo sites, any other social media, phone calls or conversations — or any other way.
- Do not look at, or access by computer, medical records or other protected health information (PHI) or personal information (PI) unless you are authorized to access that information AND you need that information to care for the patient.
- Send all media calls to the Communications Department or page the Media Relations staff on call.
Violation of these regulations and policies will lead to disciplinary action up to and including termination of employment.
Most importantly, thank you to the overwhelming majority of BIDMC staff who are doing an excellent job of keeping all patient information secure.
Might there be new workflows required in the future such that appropriate individuals are paged or notified within seconds after a lookup occurs? In an emergency/mass casualty disaster, how can we balance the need for increased security/privacy and appropriate access with real-time auditing alerts?
5. The need for healthcare information exchange in a mass casualty disaster is very clear.
When patients have a choice of caregiver — a patient-centered medical home or accountable care organization — a lifetime medical record is likely to be available to support safe, quality, efficient care.
The events of last week required patient routing based on acuity, urgency, and availability of resources. BIDMC, Massachusetts General, Brigham and Women’s Hospital, and Boston Children’s Hospital did a remarkable job treating every patient — even with incomplete medical information. The Massachusetts Healthcare Information Exchange (“the Mass HIWay”) is currently in production for “pushing” summaries from organization to organization. Last week’s events illustrate the importance of our second phase, now under construction, for secure retrieval of information based on a record locator service and a patient consent registry. By the second quarter of 2014, we should have the infrastructure in place to support the kind of data exchanges that would have been helpful last week — a first-in-the-country kind of capability.
IT in general experiences more demand than supply. Last week, we learned firsthand how technology can support a disaster. As we think about all the work on our plates, our plans going forward must incorporate our recent experiences.